Fluid Attacks Database

Description

A flaw was found in Next.js. This vulnerability allows an attacker to bypass security checks in web applications that use Next.js middleware to protect specific web pages. By sending specially crafted web addresses, an attacker can access protected content without proper authorization. This could lead to unauthorized viewing of sensitive information or access to restricted features.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	next	>=15.4.0 <15.5.16 \|\| >=16.0.0 <16.2.5	15.5.16, 16.2.5
rpm rhel10	firefox	-	-
rpm rhel7	firefox	-	-
rpm rhel8	firefox	-	-
rpm rhel9	firefox	-	-
rpm rhel10	thunderbird	-	-
rpm rhel8	thunderbird	-	-
rpm rhel9	thunderbird	-	-

Aliases

1. CVE-2026-445742. NVD-2026-445743. OSV-2026-445744. GHSA-492v-c6pp-mqqv5. GCVE-2026-44574

References

1. https://github.com/vercel/next.js/security/advisories/GHSA-492v-c6pp-mqqv2. https://github.com/vercel/next.js/releases/tag/v15.5.163. https://github.com/vercel/next.js/releases/tag/v16.2.5